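---
## Ansible host_vars for ch-mimas.
##
## What this file configures (derived from the variables below): a cloud
## install driven by an hcloud API token, a WireGuard point-to-point link into
## the chaos-at-home network, bind as a secondary for the zones listed under
## bind_slave_zones, Prometheus exporters and blackbox probes, and gitolite on
## a ZFS dataset.  No secret is stored here; only vault_* references are.
## Booleans are spelled true/false so YAML 1.1 and 1.2 loaders agree
## (yamllint "truthy" rule); sequences are consistently indented.

## Size of the root logical volume for the installer.
system_lvm_volume_size_root: 3G

## Cloud installer parameters.  The API token stays in the vault; only the
## reference is committed.  server_name follows the inventory host name.
install:
  cloud:
    credentials:
      token: "{{ vault_hcloud_api_token }}"
    server_name: "{{ host_name }}"

## Public addresses of this host.  Kept quoted: the IPv6 literal contains
## colons and must never be re-typed by a YAML loader.
external_ip: "116.203.212.131"
external_ip6: "2a01:4f8:c2c:906c::2"

## Debian repository components; contrib is needed for the zfs packages.
apt_repo_components:
  - main
  - contrib  ## for zfs
  - non-free-firmware

## Extra components from the spreadspace repository.
spreadspace_apt_repo_components:
  - prometheus


## Host-level SSH login allow-list: the admin users plus one "git-<instance>"
## user per gitolite instance (see gitolite_instances at the end of the file).
sshd_allowusers_host: "{{ admin_users_host + (['git'] | product(gitolite_instances | list) | map('join', '-')) }}"

## Additional public keys for the root account.  This one belongs to the
## syncoid ZFS backup job on epimetheus, i.e. that host holds root access
## here.  NOTE(review): whether the role attaches key options (from=,
## command=) that confine this key to the backup job is not visible in this
## file — confirm in the role before relying on it.
ssh_keys_root_extra:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBjZEFZLrl2KIqYl/GU8Vkp7mlhAbFbjwf4Ht9zQRmI8 ZFS Backup syncoid@epimetheus


## Time synchronisation via systemd-timesyncd (no full ntpd on this host).
ntp_variant: systemd-timesyncd


## nginx/ACME.  Several long server names are hosted (see the gitolite
## hostnames below), hence the larger server-names hash bucket.  Certificates
## come from the directory named by acme_directory_server_le_live_v2
## (presumably the Let's Encrypt live v2 endpoint — defined inventory-wide).
nginx_server_names_hash_bucket_size: 64
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"


## ZFS.  The ARC is capped so it does not compete with services for memory.
## The "storage" pool is built on a device-mapper volume named
## <host_name>-storage; the hyphen in the host name is doubled because
## device-mapper escapes "-" as "--" in /dev/mapper names.
zfs_arc_size:
  min: 256MB
  max: 1GB

zfs_pools:
  storage:
    mountpoint: /srv/storage
    create_vdevs: "/dev/mapper/{{ host_name | replace('-', '--') }}-storage"

## sanoid snapshot policy for the storage pool: the "production" template,
## applied recursively to the child datasets only (not the pool root).
zfs_sanoid_modules:
  storage:
    use_template: production
    recursive: true
    process_children_only: true


## WireGuard point-to-point link to chaos-at-home.  Our address and the
## routes are derived from the inventory-wide network_zones map, so address
## changes belong there, not here.  Routes: the whole svc zone plus a single
## /32 for ch-prometheus-legacy, both via ch-router's remote-zone address.
wireguard_p2p_interface:
  name: remote0
  description: connection to chaos-at-home internal services
  listen_port: 51820
  addresses:
    - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
  static_routes:
    - dest: "{{ network_zones.svc.prefix }}"
      gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
    - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
      gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"

## The single peer is ch-router, reached at its magenta-zone address.
## pub_key is the peer's public key (not a secret).  allowed_ips is the
## cryptokey routing table: only these prefixes are accepted from and routed
## to the peer, so widening it widens what the remote side can reach.
wireguard_p2p_peers:
  - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
    endpoint:
      host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
      port: 51820
    allowed_ips:
      - "{{ network_zones.remote.prefix }}"
      - "{{ network_zones.svc.prefix }}"
      - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"


## bind, secondary-only hardening:
##  - no zone transfers are offered to anyone (empty allow_transfer),
##  - recursion is answered for localhost only,
##  - no NOTIFY messages are sent.
## bind_option_notify is deliberately a quoted string (presumably rendered
## verbatim into the named.conf option); keep the quotes so it never turns
## into a boolean, unlike the real boolean bind_option_empty_zones_enable.
bind_option_empty_zones_enable: false
bind_option_allow_transfer: []
bind_option_allow_recursion:
  - localhost
bind_option_notify: 'no'

## Statistics channel (consumed by the bind exporter listed below), bound to
## loopback and readable from loopback only.
bind_stats_channels:
  - addr: 127.0.0.1
    port: 8053
    allow:
      - 127.0.0.1

## Top-level domains the role blocks locally (onion plus the zip/mov gTLDs);
## the exact mechanism is implemented in the role, not here.
bind_zone_blacklist:
  - onion
  - zip
  - mov

## Zones for which this host acts as a secondary, grouped by primary.  Each
## group names the primary servers (IPv4 and, where available, IPv6) that the
## zone data is transferred from.
bind_slave_zones:
  pan:
    masters:
      - 89.106.215.19
      - 2a02:3e0:407::19
    zones:
      ## formerly known as self
      - chaos-at-home.org
      - chaox.org
      - spreadspace.org
      - spreadspace.com
      - spreadspace.net
      - spreadspace.systems
      - elev8.at
      - java-sucks.com
      - xn--gh-via.org
      - schaaas.at
      ## formerly known as others
      - gimpf.org
      - movetogether.at

  realraum:
    masters:
      - 89.106.211.33
      - 2a02:3e0:4000:1::1
    zones:
      - realraum.at
      - r3.at
      - hack-challenge.at

  funkfeuer:
    masters:
      - 193.33.150.114
    zones:
      - ffgraz.net
      - graz.funkfeuer.at
      - 10.in-addr.arpa
      - 150.33.193.in-addr.arpa
      - 151.33.193.in-addr.arpa


## Prometheus.  The scrape endpoint is reachable on the public address, port
## 9999.  NOTE(review): access control for it (TLS, client auth, firewall)
## is decided by the role, not by this file — confirm it is not world-readable.
prometheus_scrape_endpoint: "{{ external_ip }}:9999"

## Host-specific exporters on top of the inventory defaults.
prometheus_exporters_extra:
  - bind

## Blackbox probes that ch-mon runs against this host: the SSH banner on the
## public address (port from ansible_port, default 22) and an HTTPS 2xx
## check of mimas.chaos-at-home.org.
prometheus_job_multitarget_blackbox__probe:
  ch-mon:
    - svc_kind: ssh
      svc_instance: "{{ inventory_hostname }}"
      target: "{{ external_ip }}:{{ ansible_port | default(22) }}"
      module: ssh_banner
    - svc_kind: https
      svc_instance: "mimas.chaos-at-home.org"
      target: "https://mimas.chaos-at-home.org"
      module: http_tls_2xx


## gitolite repositories live on their own dataset in the storage pool,
## capped at 1G and lz4-compressed.
gitolite_storage:
  type: zfs
  pool: storage
  name: git
  properties:
    quota: 1G
    compression: lz4

## One gitolite instance.  The initial admin key is the first SSH key of the
## user "equinox"; HTTP access is served on the listed names with an acmetool
## certificate and the git backend enabled.
gitolite_instances:
  spreadspace:
    primary_admin_key: "{{ users.equinox.ssh | first }}"
    http:
      hostnames:
        - git.spreadspace.org
        - git.spreadspace.com
        - git.spreadspace.net
        - git.spreadspace.systems
      tls:
        certificate_provider: acmetool
      enable_git_backend: true
      title: spreadspace
      description: spreadspace GIT Repositories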